Microsoft Defender ATP FAQ

What is Microsoft Defender ATP?

Microsoft Defender ATP is a unified endpoint security platform for preventative protection, post-breach detection, automated investigation, and response.

Integration:

How does Microsoft Defender ATP integrate with my Vectra platform?

Integration with Microsoft Defender ATP adds host context to aid in host identification during a security investigation. When Detect sees a host session come online, it polls Microsoft Defender ATP for host information. Host information may include the following:

  • Machine ID
  • Machine name
  • Operating system
  • Isolation status

Microsoft Defender ATP host context is available under the Host Details tab of individual Host pages.

How do I enable the Microsoft Defender ATP integration in Detect?

Microsoft Defender ATP is configured as an External Connector. In your Detect UI, navigate to Settings -> EDR Integrations -> Microsoft Defender ATP:

  • Select Edit on the far right-hand side.
  • Toggle Enable Microsoft Defender ATP integration to On.
  • Enter your Microsoft Defender ATP Tenant ID, Application ID, and Application Secret. If you do not have your Tenant ID, Application ID or Application Secret, please see the next section for details on where to locate them.
  • Click Save.
  • Once the credentials have been validated, the UI will provide confirmation that your configuration has been saved.
  • Your Microsoft Defender ATP External Connector setup is now complete.

Where can I find my Microsoft Defender ATP Tenant ID, Application ID, and Application Secret to integrate with Vectra?

To get credentials for Microsoft Defender ATP for use with Vectra:

  • Log into portal.azure.com
  • Select the Azure Active Directory service.
  • Navigate to App registrations -> New registration.
  • In the registration form, choose a name for your application, and then select Register. Now you have a new application that you must assign the correct permissions to.
  • Once your new application has been created, select API permissions.
  • From the API permissions screen, select Add a permission.
  • Select APIs my organization uses, and search for WindowsDefenderATP.
  • Select Application permissions.
  • Select the AdvancedQuery.Read.All, Machine.Read.All and Machine.Isolate permissions.
  • Click Add permissions.
  • After you add the permissions, select Grant admin consent for [your organization].
  • Your application now has all the permissions it needs. Next, create a client secret.
  • From the Manage menu of your application, select Certificates & secrets.
  • Under the Client secrets section, click the New client secret button.
  • Provide a brief description and an expiration timeframe and click Add.
  • Make sure that you record this secret! This is the Application Secret you enter for your Microsoft Defender ATP External Connector in the Detect UI. Please note that you will not be able to see it again after you leave this page.
  • Navigate to the Overview page from the left-hand menu of your application.
  • From the Overview page, record your Application (client) ID and Directory (tenant) ID.
  • You may now return to the Detect UI and enter the Tenant ID, Application ID and Application Secret you recorded above to complete the Microsoft Defender ATP External Connector setup.

Why do I not see Microsoft Defender ATP as an External Connector?

Vectra introduced native integration support for Microsoft Defender ATP in release version 5.7. Please make sure you are running Detect version 5.7 or greater. You can check the current software version by navigating to Settings -> General -> Version in the Detect UI.

Can I use Advanced search to query for Microsoft Defender ATP hosts?

Yes, you can use the following query on the Hosts index to pull a list of hosts with Microsoft Defender artifacts: 

host.host_artifact_set.type:windows_defender

Are there any Microsoft Defender ATP connectivity requirements?

All communication occurs between your Detect brain and the following two Microsoft URLs:

  • login.windows.net
  • api.securitycenter.windows.com

If you are experiencing connectivity issues, it may be necessary to configure your firewall rules to allow your Detect brain to communicate with login.windows.net and api.securitycenter.windows.com over port 443.

Host Lockdown Information:

Can Microsoft Defender ATP be used for Host Lockdown?

Yes, Detect release version 5.8 introduced support for Host Lockdown using Microsoft Defender ATP.

What is Host Lockdown?

Host Lockdown is a feature of Detect that gives users the ability to temporarily disable network hosts during a security investigation. Host Lockdown is enforced through the use of Microsoft Defender ATP's host isolation capabilities. Host Lockdown can run in an automated or manual mode. In automated mode, action is taken once privilege, threat and certainty score thresholds have been passed. In manual mode, a security analyst can isolate a host directly from a Detect Host page.

Why is disabling a host necessary during a security investigation?

Disabling a host isolates an attacker's machine from the network and prevents subsequent use of that machine for kill chain progression. Disabling hosts limits an attack's blast radius, buying analysts critical time to conduct a thorough security investigation.

How does Host Lockdown work?

Host Lockdown requires Detect to be integrated with your Microsoft Defender ATP system. When a Host Lockdown is instantiated, Detect will notify Microsoft Defender ATP to isolate the host. 

How does a host get locked down?

There are two ways to utilize Host Lockdown:

  1. Manually, where a host is locked by a Detect user.
  2. Automatically, where Detect can be configured to automatically lock hosts based on configured Observed Privilege, Threat and Certainty score thresholds.

How do I manually lock down a host?

Microsoft Defender ATP enabled hosts will have a Host Lockdown widget in the sidebar of individual host pages. From there you can enable or disable Lockdown. Hosts can be manually locked from 1 hour up to 24 hours, in pre-configured time ranges. To lock a host, simply click the Disable Host button and select a pre-configured time range from the dropdown. The host will automatically be re-enabled once the selected time range has expired. Please note that enabling or disabling manual lockdown on a host requires the Detect user to have the Edit Host Lockdown RBAC permission enabled.

How do I automatically lock down a host?

In Detect, navigate to Settings -> EDR Integrations -> Host Lockdown. From here you can enable the Host Lockdown feature itself, along with Automatic Lockdown and its required thresholds. Once you have enabled Automatic Lockdown, you will have the option to configure the automatic lockdown period, which can range from 1 hour up to 24 hours, in pre-configured time ranges, and set the Observed Privilege, Threat and Certainty score thresholds. After Automatic Lockdown has been enabled, any time a host's scores exceed the Observed Privilege, Threat and Certainty thresholds, the host will be isolated in the corresponding EDR for the configured time range.

Where can I check the lockdown status of a host?

All hosts will have a Host Lockdown widget in the sidebar of individual Host pages. From here you can see the host's current Lockdown status. If a host is locked down, the status will show the time until the host is re-enabled and the username of the Detect user that enabled lockdown for that host. There is also an API endpoint (/api/v2.1/lockdown/host) where you can pull a list of all current hosts that have been disabled via Lockdown. Please note that viewing Lockdown status requires the Detect user to have the View Host Lockdown RBAC permission enabled.

Can Host Lockdown access be managed by RBAC permissions?

There are two sets of permissions associated with Host Lockdown for Microsoft Defender ATP:

Configuration of Host Lockdown:

View Settings - Microsoft Defender - controls who can view the Microsoft Defender ATP External Connector settings, which includes the Host Lockdown settings.

Edit Settings - Microsoft Defender - controls who can edit the Microsoft Defender External Connector settings, which includes the Host Lockdown settings.

Use of Host Lockdown:

Edit Host Lockdown: This allows users to manually lock or unlock individual hosts.

By default (assuming roles have not been modified), all of the above are automatically granted to the Super Admin and Admin roles.

If a host gets locked down, will existing/open sessions be terminated?

Yes. Once a host is isolated via Host Lockdown, it is cut off from the network, so existing user sessions will time out and/or terminate.

Once a host has been locked down, how can host isolation be removed?

Hosts may be removed from isolation via the following methods:

  • A user manually re-enables the host via Detect
  • Disable timer expires
  • The host is removed from isolation outside of Detect (in Microsoft Defender ATP)

If I update my automatic Lockdown thresholds, will all hosts be re-evaluated?

No. Adjusted Lockdown thresholds are not applied retroactively to existing host scores; they take effect only when new host scores are calculated.

Is there API support for Host Lockdown?

Yes, for reporting of isolated hosts only. We may add support for enabling or disabling of hosts in a future release.

GET /api/v2.1/lockdown/host

[
  {
    "host_id": 10,
    "locked_by": "admin",
    "unlock_date": "2020-06-09T15:21:06Z",
    "host_name": "def-1",
    "lock_date": "2020-06-09T14:21:06Z"
  }
]

If a host is isolated outside of Detect (via Microsoft Defender ATP) how does that appear in Detect?

The host's Lockdown status will indicate "Isolated from outside Cognito." Detect will always honor the state of isolation from the Microsoft Defender ATP side. If isolation is set from the remote end, the host will need to be removed from isolation from the remote end.

Will the end user be notified when their host is locked down?

No, the end user is not notified whenever their host is disabled.

Will Detect administrators be notified when a host is locked down?

Yes, Detect admins will see email and syslog notifications when lockdown is enabled or disabled. Please note that in order to receive Host Lockdown email notifications, Host alert email notifications must be enabled under Settings / Notifications.

Log Information:

Where can I see a sample syslog notification for Lockdown?

Host Lockdown Sample Syslog

CEF:
CEF:0|Vectra Networks|X Series|5.7|host lockdown|Host Lockdown|3|externalId=3 cat=HOST_LOCKDOWN dvc=10.1.6.29 suser=vadmin host=def-3 cs1Label=action cs1=lock cs2Label=success cs2=True cs3Label=willRetry cs3=False cs4Label=Vectra Event URL cs4=https://10.1.6.29/hosts/3 start=1591212505805 end=1591212505805
Standard:
LOCKDOWN [host_lockdown@41261 category="HOST_LOCKDOWN" hostName="def-3" action="lock" success="True" willRetry="False" dvc="10.1.6.29" user="vadmin" URL="https://10.1.6.29/hosts/3" UTCTime="1591212505.8"]
JSON:
{"category": "HOST_LOCKDOWN", "version": "5.7", "success": true, "vectra_timestamp": "1591212505", "will_retry": false, "href": "https://10.1.6.29/hosts/3", "host_name": "def-3", "action": "lock", "host_id": 3, "headend_addr": "10.1.6.29", "user": "vadmin"}
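The following is an added example, not Vectra's code or part of this article: a Python parser that normalises the three syslog formats above (CEF, standard, JSON) into one record and flags the events a SIEM rule should surface (failed isolation attempts, and re-enables). The sample lines are the article's three plus one constructed failure record; the code assumes that any action value other than lock is a re-enable, since only lock appears in the samples.

```python
import json
import re
# CEF extension values may contain spaces ("Vectra Event URL"): a value runs to the next " key=".
CEF_EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
SD_PARAM = re.compile(r'(\w+)="([^"]*)"')  # RFC 5424 structured-data params

def _rec(host, action, success, retry, user, url, time):
    """Common schema; success/retry arrive as "True"/"False" strings or JSON booleans."""
    return {"host_name": host, "action": action, "success": str(success).lower() == "true",
            "will_retry": str(retry).lower() == "true", "user": user, "url": url, "time": time}

def parse_lockdown_event(line):
    """Normalise one Host Lockdown syslog line (CEF, standard or JSON) into one record."""
    line = line.strip()
    if line.startswith("CEF:"):
        ext = dict(CEF_EXT.findall(line.split("|", 7)[7]))  # 8th pipe field = extension
        # csN carries the value and csNLabel its name; resolve them to named fields.
        cs = {ext[k]: ext[k[:-5]] for k in ext if k.endswith("Label") and k[:-5] in ext}
        return _rec(ext.get("host"), cs.get("action"), cs.get("success"), cs.get("willRetry"),
                    ext.get("suser"), cs.get("Vectra Event URL"), int(ext["start"]) / 1000.0)
    if line.startswith("LOCKDOWN ["):
        sd = dict(SD_PARAM.findall(line))
        return _rec(sd.get("hostName"), sd.get("action"), sd.get("success"), sd.get("willRetry"),
                    sd.get("user"), sd.get("URL"), float(sd["UTCTime"]))
    if line.startswith("{"):
        j = json.loads(line)
        return _rec(j.get("host_name"), j.get("action"), j.get("success"), j.get("will_retry"),
                    j.get("user"), j.get("href"), float(j["vectra_timestamp"]))
    raise ValueError("not a Host Lockdown event: %r" % line[:40])

def lockdown_alerts(lines):
    """Events an analyst should act on: failed isolation attempts (host still on the network)
    and re-enables. Assumption: any action other than "lock" is a re-enable."""
    alerts = []
    for ev in map(parse_lockdown_event, lines):
        if not ev["success"]:
            retry = "retry pending" if ev["will_retry"] else "no retry"
            alerts.append((ev["host_name"], "lockdown %s failed, %s" % (ev["action"], retry)))
        elif ev["action"] != "lock":
            alerts.append((ev["host_name"], "host re-enabled by %s" % ev["user"]))
    return alerts

# Constructed sample input: the article's three lines plus one constructed failure record.
SAMPLE_LINES = [
    'CEF:0|Vectra Networks|X Series|5.7|host lockdown|Host Lockdown|3|externalId=3 cat=HOST_LOCKDOWN dvc=10.1.6.29 suser=vadmin host=def-3 cs1Label=action cs1=lock cs2Label=success cs2=True cs3Label=willRetry cs3=False cs4Label=Vectra Event URL cs4=https://10.1.6.29/hosts/3 start=1591212505805 end=1591212505805',
    'LOCKDOWN [host_lockdown@41261 category="HOST_LOCKDOWN" hostName="def-3" action="lock" success="True" willRetry="False" dvc="10.1.6.29" user="vadmin" URL="https://10.1.6.29/hosts/3" UTCTime="1591212505.8"]',
    '{"category": "HOST_LOCKDOWN", "version": "5.7", "success": true, "vectra_timestamp": "1591212505", "will_retry": false, "href": "https://10.1.6.29/hosts/3", "host_name": "def-3", "action": "lock", "host_id": 3, "headend_addr": "10.1.6.29", "user": "vadmin"}',
    '{"category": "HOST_LOCKDOWN", "version": "5.7", "success": false, "vectra_timestamp": "1591212600", "will_retry": true, "href": "https://10.1.6.29/hosts/7", "host_name": "def-7", "action": "lock", "host_id": 7, "headend_addr": "10.1.6.29", "user": "vadmin"}',
]
```

Calling lockdown_alerts(SAMPLE_LINES) returns only the constructed failure for def-7; the three successful lock events from the article produce no alert.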

Can I use advanced search to pull information on isolated hosts?

As of release version 5.8, Advanced search for Host Lockdown is not supported. We will introduce Advanced search support in a future release.